MCP-backed Terraform assistant with ephemeral-values compliance.
Project description
Terraform Guardrail MCP
Terraform Guardrail MCP is a Python-based MCP server + CLI + web UI that turns Terraform governance into a fast, repeatable workflow. It gives AI assistants and platform teams real context from provider metadata and adds compliance intelligence so every plan, module, and refactor is safer by default. The result is fewer failures, cleaner state, and a shorter path from idea to production.
This project is built for teams shipping infrastructure at scale who need speed without sacrificing security. It flags secret leakage in configuration and state, validates schema usage, and produces human-readable reports that make decisions obvious and auditable. Live app: https://terraform-guardrail.streamlit.app/
What it does
- MCP server that exposes provider metadata and compliance checks
- CLI for scanning Terraform configs and state for sensitive leaks
- Minimal web UI for quick scans and reports
- Rules engine focused on ephemeral values, write-only arguments, and secret hygiene
Architecture
Mermaid diagrams are available on GitHub and in the Wiki:
- GitHub README: https://github.com/Huzefaaa2/terraform-guardrail#architecture
- Wiki Diagrams: https://github.com/Huzefaaa2/terraform-guardrail/wiki/Diagrams
Scope
- Multi-file scanning with summaries and CSV export
- Secret hygiene checks across .tf, .tfvars, and .tfstate
- Schema-aware validation with Terraform CLI integration
- Provider metadata lookup via Terraform Registry
- MCP tools for scan, metadata, and snippet generation
- Streamlit and web UI for instant reporting
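The three inputs listed above (.tf, .tfvars, .tfstate) each leak secrets in a different way: a variable that is only `sensitive = true` is still written to plan and state, a literal in .tfvars sits on disk and in version control, and anything a provider stores in state is plaintext for whoever can read the backend. The following scanner is an added example written for this page, not terraform-guardrail's own rules engine; it uses regexes and `json` instead of a real HCL parser, so it only understands the simple `name = "literal"` shapes in the samples. The list of secret-like names, the rule identifiers and the three sample files are constructed assumptions.

```python
"""Heuristic secret-hygiene scan over .tf/.hcl, .tfvars and .tfstate text.

Added example for this page, not terraform-guardrail's rules engine. Regexes and
json stand in for a full HCL parser, so only simple `name = "literal"` forms match.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# Names that usually carry credentials (assumed list; tune per environment).
SECRET_NAME = re.compile(r"password|passwd|secret|token|api_key|private_key|access_key", re.I)
STRING_ASSIGN = re.compile(r'^\s*([A-Za-z_][\w-]*)\s*=\s*"([^"]*)"\s*$', re.M)
VAR_BLOCK = re.compile(r'variable\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
RESOURCE_BLOCK = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)


@dataclass(frozen=True)
class Finding:
    file: str
    rule: str
    location: str
    message: str


def _scan_tf(name: str, text: str) -> list[Finding]:
    out: list[Finding] = []
    for var, body in VAR_BLOCK.findall(text):
        if not SECRET_NAME.search(var) or re.search(r"^\s*ephemeral\s*=\s*true", body, re.M):
            continue  # ephemeral values are never written to plan or state
        if re.search(r"^\s*sensitive\s*=\s*true", body, re.M):
            msg = "sensitive = true only redacts CLI output; the value still lands in state. Add ephemeral = true."
        else:
            msg = "secret-like variable is neither sensitive nor ephemeral"
        out.append(Finding(name, "EPHEMERAL_VARIABLE", f'variable "{var}"', msg))
    for rtype, rname, body in RESOURCE_BLOCK.findall(text):
        for attr, _ in STRING_ASSIGN.findall(body):  # only quoted literals, not var.x references
            if SECRET_NAME.search(attr):
                hint = "" if attr.endswith("_wo") else f"; prefer the write-only argument {attr}_wo fed from an ephemeral value"
                out.append(Finding(name, "HARDCODED_SECRET", f"{rtype}.{rname}.{attr}", "literal credential in config" + hint))
    return out


def _scan_tfvars(name: str, text: str) -> list[Finding]:
    return [Finding(name, "PLAINTEXT_TFVARS", key, "credential literal in tfvars; pass it at run time (TF_VAR_*) into an ephemeral variable")
            for key, value in STRING_ASSIGN.findall(text) if SECRET_NAME.search(key) and value]


def _scan_tfstate(name: str, text: str) -> list[Finding]:
    state = json.loads(text)
    out: list[Finding] = []
    for res in state.get("resources", []):
        for idx, inst in enumerate(res.get("instances", [])):
            for attr, value in inst.get("attributes", {}).items():
                if SECRET_NAME.search(attr) and isinstance(value, str) and value:
                    out.append(Finding(name, "STATE_LEAK", f'{res["type"]}.{res["name"]}[{idx}].{attr}',
                                       "credential stored in plaintext state; lock down the backend and move to a write-only argument"))
    for out_name, spec in state.get("outputs", {}).items():
        if SECRET_NAME.search(out_name) and spec.get("value") not in (None, ""):
            out.append(Finding(name, "STATE_LEAK", f"output.{out_name}",
                               "output value persisted in state; sensitive = true does not encrypt it"))
    return out


def scan_text(filename: str, text: str) -> list[Finding]:
    """Dispatch on extension, mirroring the three inputs the page lists."""
    if filename.endswith(".tfstate"):
        return _scan_tfstate(filename, text)
    if filename.endswith(".tfvars"):
        return _scan_tfvars(filename, text)
    if filename.endswith((".tf", ".hcl")):
        return _scan_tf(filename, text)
    return []


# Constructed samples: one sensitive-only variable, one ephemeral variable, one literal password.
SAMPLE_TF = '''
variable "db_password" {
  type      = string
  sensitive = true
}

variable "api_token" {
  type      = string
  ephemeral = true
}

resource "aws_db_instance" "main" {
  engine   = "postgres"
  password = "hunter2"
}
'''
SAMPLE_TFVARS = 'db_password = "hunter2"\nregion = "eu-west-1"\n'
SAMPLE_TFSTATE = json.dumps({
    "version": 4,
    "outputs": {"db_password": {"value": "hunter2", "type": "string", "sensitive": True}},
    "resources": [{"mode": "managed", "type": "aws_db_instance", "name": "main",
                   "instances": [{"attributes": {"engine": "postgres", "password": "hunter2"}}]}],
})


def demo() -> list[Finding]:
    files = (("main.tf", SAMPLE_TF), ("dev.tfvars", SAMPLE_TFVARS), ("terraform.tfstate", SAMPLE_TFSTATE))
    return [f for fname, text in files for f in scan_text(fname, text)]


if __name__ == "__main__":
    for f in demo():
        print(f"{f.file}: [{f.rule}] {f.location}: {f.message}")
```

Note that `api_token` produces nothing: an `ephemeral = true` variable is the one shape that never reaches plan or state, which is why the rules engine described above centres on ephemeral values and write-only arguments rather than on `sensitive` alone.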
Feature Matrix
| Area | CLI | Web UI / Streamlit |
|---|---|---|
| Config scan (.tf, .tfvars, .hcl) | Yes | Yes |
| State leak scan (.tfstate) | Yes | Yes |
| Schema-aware validation | Yes | Yes |
| CSV export | No | Yes |
| Provider metadata | Yes | Yes |
| Snippet generation | Yes | No |
| Multi-file scan | Yes (directory) | Yes (upload up to 10) |
| Human-readable report | Yes | Yes |
Quickstart
python -m venv .venv
source .venv/bin/activate
pip install -e ".[dev]"
# CLI scan
terraform-guardrail scan examples
# snippet generation
terraform-guardrail generate aws aws_s3_bucket --name demo
# MCP server (stdio)
terraform-guardrail mcp
# Web UI
terraform-guardrail web
Install from PyPI
pip install terraform-guardrail
PyPI: https://pypi.org/project/terraform-guardrail/ (latest: 0.2.5)
CLI examples
# scan a directory
terraform-guardrail scan ./examples --format json
# scan state files too
terraform-guardrail scan ./examples --state ./examples/sample.tfstate
# enable schema-aware validation (requires terraform CLI + initialized workspace)
terraform-guardrail scan ./examples --schema
Web UI
Visit http://127.0.0.1:8000 and upload a Terraform file to view a compliance report.
Streamlit App
streamlit run streamlit_app.py
Live app: https://terraform-guardrail.streamlit.app/
Streamlit Cloud deployment
- Push this repo to GitHub.
- Create a new Streamlit Cloud app.
- Set the main file path to streamlit_app.py.
- Deploy (Streamlit will install from requirements.txt).
Release Links
- PyPI: https://pypi.org/project/terraform-guardrail/
- GitHub Releases: https://github.com/Huzefaaa2/terraform-guardrail/releases
Deployment Guide
See docs/streamlit_cloud.md for a detailed Streamlit Cloud walkthrough.
Release Checklist
- Update version in pyproject.toml.
- Update RELEASE_NOTES.md and CHANGELOG.md.
- Commit changes and push to main.
- Create and push a tag: git tag -a vX.Y.Z -m "vX.Y.Z", then git push origin vX.Y.Z.
- Confirm the GitHub Actions release workflow completed successfully.
Changelog Automation
This repo uses git-cliff to generate CHANGELOG.md.
git cliff -o CHANGELOG.md
Or run:
make changelog
Release Helpers
make release-dry VERSION=0.2.1
make version-bump VERSION=0.2.1
MCP tools (current)
- scan_terraform: Run compliance checks over a path and optional state file.
- get_provider_metadata: Fetch provider metadata from Terraform Registry (AWS + Azure).
- generate_snippet: Generate Terraform snippets for common AWS/Azure resources.
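The MCP server started by `terraform-guardrail mcp` speaks JSON-RPC 2.0 over stdio, one message per line. The following is an added example written for this page to show that exchange end to end; it is not the project's server and does not use the official MCP SDK. It hand-rolls the three methods a client sends (`initialize`, `tools/list`, `tools/call`) and exposes one tool, `scan_terraform`, whose body is a placeholder regex standing in for the real rules engine. The security point is the root confinement: a tool that takes a path is a file-read primitive for whatever model drives the client, so the path is resolved and rejected if it escapes an allowed root. The `GUARDRAIL_ROOT` variable, the tool schema, the temp workspace and the client messages are all constructed assumptions.

```python
"""Minimal MCP-style stdio server with argument validation and path confinement.

Added example for this page, not terraform-guardrail's server and not the official
MCP SDK. The tool body is a placeholder regex, not the project's rules engine.
"""
from __future__ import annotations

import json
import os
import re
import sys
import tempfile
from pathlib import Path

ALLOWED_ROOT = Path(os.environ.get("GUARDRAIL_ROOT", os.getcwd())).resolve()  # assumed config knob
LITERAL_SECRET = re.compile(r'^\s*(\w*(?:password|secret|token)\w*)\s*=\s*"[^"]+"', re.I | re.M)

TOOLS = [{
    "name": "scan_terraform",
    "description": "Run compliance checks over a path (placeholder regex rule).",
    "inputSchema": {"type": "object", "properties": {"path": {"type": "string"}},
                    "required": ["path"], "additionalProperties": False},
}]


def _confine(raw: str, root: Path) -> Path:
    """Resolve symlinks and '..' and refuse anything outside the allowed root."""
    target = (root / raw).resolve()
    if target != root and root not in target.parents:
        raise ValueError(f"path escapes allowed root: {raw}")
    return target


def scan_terraform(path: str, root: Path = ALLOWED_ROOT) -> dict:
    target = _confine(path, root)
    files = [target] if target.is_file() else sorted(target.rglob("*.tf"))
    hits = [f"{f.relative_to(root)}: literal in {m.group(1)}"
            for f in files for m in LITERAL_SECRET.finditer(f.read_text())]
    return {"files_scanned": len(files), "findings": hits}


def handle(request: dict, root: Path = ALLOWED_ROOT) -> dict | None:
    """Dispatch one JSON-RPC request; notifications return None (no reply)."""
    rid, method, params = request.get("id"), request.get("method"), request.get("params") or {}

    def ok(result): return {"jsonrpc": "2.0", "id": rid, "result": result}
    def err(code, msg): return {"jsonrpc": "2.0", "id": rid, "error": {"code": code, "message": msg}}

    if method == "initialize":
        return ok({"protocolVersion": params.get("protocolVersion", "2024-11-05"),
                   "capabilities": {"tools": {}}, "serverInfo": {"name": "guardrail-demo", "version": "0"}})
    if method == "notifications/initialized":
        return None
    if method == "tools/list":
        return ok({"tools": TOOLS})
    if method == "tools/call":
        name, args = params.get("name"), params.get("arguments") or {}
        if name != "scan_terraform":
            return err(-32602, f"unknown tool: {name}")
        if set(args) != {"path"} or not isinstance(args["path"], str):
            return err(-32602, "arguments must be exactly {path: string}")
        try:
            result = scan_terraform(args["path"], root)
        except (ValueError, OSError) as exc:  # tool failures are results with isError, not protocol errors
            return ok({"content": [{"type": "text", "text": str(exc)}], "isError": True})
        return ok({"content": [{"type": "text", "text": json.dumps(result)}], "isError": False})
    return err(-32601, f"method not found: {method}")


def serve(stdin=sys.stdin, stdout=sys.stdout) -> None:
    for line in stdin:
        if line.strip() and (resp := handle(json.loads(line))) is not None:
            stdout.write(json.dumps(resp) + "\n")
            stdout.flush()


def demo() -> list:
    """Constructed client exchange against a temp workspace; returns the server replies."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        (root / "main.tf").write_text('resource "aws_db_instance" "m" {\n  password = "hunter2"\n}\n')
        client = [
            {"jsonrpc": "2.0", "id": 1, "method": "initialize",
             "params": {"protocolVersion": "2024-11-05", "capabilities": {}, "clientInfo": {"name": "demo", "version": "0"}}},
            {"jsonrpc": "2.0", "method": "notifications/initialized"},
            {"jsonrpc": "2.0", "id": 2, "method": "tools/list"},
            {"jsonrpc": "2.0", "id": 3, "method": "tools/call", "params": {"name": "scan_terraform", "arguments": {"path": "."}}},
            {"jsonrpc": "2.0", "id": 4, "method": "tools/call", "params": {"name": "scan_terraform", "arguments": {"path": "../../etc/passwd"}}},
        ]
        return [handle(m, root) for m in client]


if __name__ == "__main__":
    serve() if "--serve" in sys.argv else print(json.dumps(demo(), indent=1))
```

Run it with `--serve` to speak the protocol on stdin/stdout; without it, `demo()` prints the five replies, the last of which carries `isError: true` for the path-traversal attempt instead of leaking `/etc/passwd` to the model.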
Roadmap
- Schema-aware code generation using provider schemas
- fix command to apply safe rewrites for ephemeral values
- Multi-environment policies and OPA-compatible output
- Stack-aware orchestration and drift detection
License
MIT
File details
Details for the file terraform_guardrail-0.2.5.tar.gz.
File metadata
- Download URL: terraform_guardrail-0.2.5.tar.gz
- Upload date:
- Size: 15.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.14
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 21ddb71a545237bdf72a73c480209aa03b6cb019d6fd83dcf40ef72e0b3ab071 |
| MD5 | 0a841cb4be96ea796a07aab671120cb8 |
| BLAKE2b-256 | 6ebe271e1b1681af34feefbe2a0450e9973bc4d4b5f9d6d2a10e7a2c4ceb11af |
File details
Details for the file terraform_guardrail-0.2.5-py3-none-any.whl.
File metadata
- Download URL: terraform_guardrail-0.2.5-py3-none-any.whl
- Upload date:
- Size: 16.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.14
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | ee8872c0edbf6e92664435e50069b47c653660d31deac42acd67972572cb064c |
| MD5 | 24164e50942fc281640496dcc3cb580d |
| BLAKE2b-256 | a1245e9969bd3b2bb4333a1ec00c25a7e0572796d85d3c4eb226f551b242a0a7 |